The false email message looks like this:
From: Microsoft Corporation Security Center
Subject: Internet Security Update
Body: Microsoft Customer, this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities . . . How to install Run attached file q216309.exe How to use You don't need to do anything after installing this item. . . .
Attachment: Q216309.exe

Technical Details

When opening the Visual Basic file Q216309.exe, which contains parts of other viruses, the following files are created:
C:\Windows\Q216309.exe (122,880 Bytes), containing the full virus pack.
C:\Windows\Vtnmsccd.dll (122,880 Bytes) identical with Q216309.exe.
C:\Windows\BcTool.exe (32,768 Bytes), the part using Microsoft Outlook and SMTP.
C:\Windows\GfxAcc.exe (20,480 Bytes) the Backdoor Trojan, opening port 12378.
C:\Windows\02_N803.dat (variable size), the file containing the collected email addresses.
C:\Windows\WinNetw.exe (20,480 Bytes), which looks for email addresses and is saved as 02_N803.dat.

The worm also works over networks. It tries to find all Startup directories over the network:
- Windows 2000
On Windows 2000 computers, it tries to copy itself in C:\Documents and Settings\%Infected Computer User Name%\Start Menu\Programs\Startup.
-Windows 98
On Windows 98 computers, it tries to copy itself in C:\Windows\Start Menu\Programs\Startup.
-Windows NT
On Windows NT computers, it tries to copy itself in C:\Winnt\Profiles\%Infected Computer User Name%\Start Menu\Programs\Startup.